Presentation given in Berlin at AFE academy to explain dangers of cybercrime and the way to plan a strategy to improve cyber security

1. How to prevent a
disaster in cyberspace ?
The need for an international approach
to undermine the criminal cyber architecture
Berlin, 8 february 2012
Combating Cybercrime in Europe – fighting botnets
Optimised Tools for Investigation and Law Enforcement
© 2012 Luc Beirens – Federal Computer Crime Unit - Belgian Federal Judicial Police – Direction economical and financial crime

2. Presentation
 @LucBeirens
Chief Commissioner
Head of the Federal Computer Crime Unit
Belgian Federal Judicial Police
Direction Economical and financial crime
Chairman of the EU Cybercrime task force
representing the organization of heads of
national hightech crime units of the EU

3. Topics - overview
 General trends today
 Cyber crimes and cyber criminals today
 What hinders the combat today ?
 A proposal for an integrated response
 Belgian experiences

4. General trends today
 Evolution towards e-society
 replace persons by e-applications
 Interconnecting all systems (admin, industrial, control)
 IP is common platform offered by many ISPs
integrating telephony / data / VPN & all new apps
=opportunities / Achilles tendon / scattered traces
 Poor security in legacy applications and
protocols (userid+pw)=> identity fraud is easy
 Enduser is not yet educated to act properly

5. What do criminals want ?
 Become rich / powerfull
rapidly, easily, very big ROI
in an illegal way if needed
 Destabilaze (e-)society
by causing troubles

6. How : cyber crimes today
 e-fraud => give money to the criminals
 spam => start for eFrauds / MW distrib
 hacking =>
 change content of your website (defacing)
 transfer money from the hacked system
 espionnage => know your victim
 use of hacked system =>
storage / spam / proxy / DNS / CC / DDOS
 DDOS distributed denial of service attacks

7. How to combat
cyber criminals ?
Analyse their methods and tools

8. Webserver / node
Computer
Crash
Hacker
Internet
Info Access line
Cmd
blocked
My IP is x.y.z.z
Command & Botnet attack on a webserver / node
Control Server

9. Interesting DDOS
 2004 UK : gambling website down (+ hoster + ISP)
 2005 Netherlands : 2 botnets : millions of zombies
 2005 Belgium : Commercial firm during social conflict
 2006 Sweden : Gov websites after police raid on P2P
 2007 Estonia : political inspired widespread DDOS attack
 2008 Georgia : cyber war during military conflict
 2010 Worldwide : Wikileaks cyberconflict
 2011 – 2012 : Anonymous attacks on Gov sites

10. What are botnets used for ?
Getting data & making money !
 Sometimes still for fun (scriptkiddies)
 Spam distribution via Zombie
 Click generation on banner publicity
 Dialer installation on zombie to make premium rate calls
 Spyware / malware / ransomware installation
 Espionage : banking details / passwords / keylogging
 Transactions via zombie PC
 Capacity for distributed denial of service attacks DDOS
=> disturb functioning of internet device (server/router)

12. Webserver / node
Hacker Knowledge server
Internet
trigger
event
MW update
Very frequent MW
update request
Malware update server
Command & Malware update / knowledge transfer
Control Server

13. Cyber criminal’s toolbox
 malware => trojan horses
 distribution via mail, p2p, social networks, websites
 auto-update & auto-propagation in network
 very high rate of new versions
 remote control of infected systems
=> botnets
 creation of knowledge databases
 collected & keylogged info of infected pc
 keyservers in safe haven countries

14. But the criminal cyber architecture
also includes ...
 Underground fora and chatrooms
 Botnets for hire
 Malware on demand / off the shelf packages
 Trade stolen Credit cards / credentials
 Money laundering services
 Organized Cyber criminals
 take over / set up ISP’s
 infiltrate in development firms

15. And the victims ?
 Who ?
 Communication networks and service providers
 Companies especially transactional websites
 Every internet user
 Reaction
 Unaware of incidents going on => dark number
 Victims try to solve it themselves
 Nearly no complaints made => dark number
 Result ? The hackers go on developing botnets

16. Risks
 Economical disaster
 Large scale : critical infrastructure
 Small scale : enterprise
 Individual & corporate (secret) data
 Loss of trust in e-society

17. Combined threat
 What if abused by terrorists ? Cyber army ?
... simultaniously with a real world attack?
 How will you handle the crisis ?
Your telephone system is not working !

18. Intermediate conclusions
 Society is very dependant of ICT
 eSociety is very vulnerable for attacks
 Urgent need to reduce risks on critical ICT
 Botnets as criminal cyber infrastructure
is common platform for lots of cybercrimes
=> undermine it and you reduce crime

19. Traditional way of law enforcement
to tackle cybercrime
 Reactive
 Register complaint => judicial case
 Hotlines (or cooperation with)
 (Eventualy) undercover operations
 Proactive (?)
 Who is doing what, where and how ?
 Patrolling the net
 Effective (?) but not undermining cybercriminals

20. What hinders an effective
combat of cyber crime ?
 Unawareness and negligence end user
 Lack of overall view on risks / incidents by
 Enterprise managers
 Political decision makers
 Combating : everyone on his own
 Lack of specialized investigators
 Jurisdictions limited by national borders
 Subscriber identity fraud
 Mobility of the (criminal) services in cloud

21. What actions are needed ?
Everyone plays a role in e-security
We have to do it as partners
We have to do it in an integrated way

22. Goals for operational
cybercrime action plan
 As “society” (= gov & private sector)
improve detection and get a view and act on
 criminal cyberinfrastructure especially botnets
 incidents threatening eSociety
 Strengthen robustness of ICT eSociety
 ISP’s / Enterprises / End users
 Weaken and dismantle
the criminal cyberinfrastructure
 Each partner within his role & competence

23. Preserve evidence Webserver / node
Report incident
Stop activity
Bring to court
Hacker
Internet
Take out of
order
Analyse to
identify hacker
& zombies Identify critical infrastructure
Alarm procedures
Preserve evidence
Prevent infection & MW autopropagation
Detect infections & desinfect
Botnetservers
CC, Knowledge, MW Actions against botnet architecture

24. Role of governments &
international organizations
 Working according a strategy
 Develop international plans & reaction schemes
for critical ICT infrastructure protection
 Develop legal framework
 Obligation to report cybercrime incidents
 Obligation to secure your computersystem (?)
 Possibility for ISP to cut off infected machines (?)
 Obligation to respond to requests of Gov authority
when serious incidents happen

25. Telecommunications sector
 Prevent / reduce SPAM
 Have to make there infrastructure robust
 Report serious incidents to CERT
 Integrated reaction with authorities
 Implement strong authentication in
internet protocols and services
 Detect negligent end users & react/help/cut off

26. Enterprises
 E-Security = business risk =>
management responsibility
 Think about how to survive when
e-systems are under attack
 Enforce detection of incidents – IDS ?
 Report incidents to CERT ? to police ?
 Integrate strong authentication in
e-business applications

27. Developers
 Strong authentication
 Use the strongest available but ...
 Think as a hacker
How can a transaction on an infected PC
be intercepted ?
 Store IP-addresses and timestamps
 of the end user ! not of the router !
 Needed in case of an incident !

28. Responsibilization of end user
 Awareness raising => media
 Training on e-security & attitude
 already at school
 in the enterprises
 Obligation to secure his PC properly ?

29. Role of police and justice ?
 Gather intelligence about Botnets
 Dismantle botnet servers
in your country
 Analyse Botnet-servers
to find traces to criminals
 Focus on knowledge servers & CC servers

30. EU Council strategy :
COSI priorities and OAP ?
 Standing Committee on Operational Cooperation on
Internal Security (COSI)
 EU Council body based on Lisbon Treaty (Art 71 TFEU)
 High-level representatives of MS Min Interior and EC
 Tasks
 to facilitate and ensure effective operational cooperation and
coordination in the field of EU internal security
 to evaluate the general direction and efficiency of operational
cooperation
 to assist the Council in reacting to terrorist attacks or natural or
man-made disasters (solidarity clause of Art 222 TFEU).
Overview COSI strategic goals and operational 30
action plans cybercrime

31. Harmony : the COSI
policy & implementation cycle
 Normally : 4 year cycle except first cycle : 2 year
 Policy
 Create view on security risks and crime phenomenae
 Determine priority domains (Cybercrime is prio 8)
 Determine strategic goals 4 (2) year
 Determine operational action plans OAP 1 year
 1 Driver to follow up Cybercrime domain
 1 or 2 leaders for each OAP
 7 strategic goals
31

32. COSI Strategy goals
1. Common legal standard (adapted)
2. User identification by Internet Governance
3. Enhance Police & Justice cyber capabilities
4. Establish European Cybercrime Center
5. Strategy to disrupt crim ict infra esp. botnet
6. PPP for prevention and detection
7. Reporting systems in each MS

33. Strategic Goal 4
To establish the European Cybercrime Centre (ECC)
to become the focal point
in the fight against cybercrime in the Union
contributing to faster reactions
in the event of cyber attacks
Overview COSI strategic goals and operational 33
action plans cybercrime

34. European Cybercrime centre
 Place, role, tasks, organization still not clear
 Study by Rand Europe => decision 1st half 2012
 At Europol ?
 Improve law enforcement efforts tackling cybercrime
 Tasks
 Intelligence focal point : monitoring, detection, collection,
analysis, alerting, information => core AWF Cyborg ?
 Develop a high level forensic capability
 Liaise with MS LEA, industry and internet governance
 R&D Develop good practices for prevention and PPP 34

35. Strategic Goal 5
To establish and implement
a common Union approach
to disrupt and dismantle
the criminal infrastructure in cyberspace,
especially botnets
35

36. International
Botnet actions

37. Problems with it ?

38. Belgian experience
 1 national FCCU +25 Regional CCU=175 officers
(computer forensics & cybercrime combat)
 2 specialized Federal prosecutors
minimum 1 ICT reference prosecutor / district
 FCCU analyses attacks on critical ICT infra
 BelNIS Gov Network information security
 Develops and organizes ICT security strategy
 Problem : no central authority
 Since 2009 : Cert.be for Gov and Critical infra

39. Belgian experience
 eBanking fraud => start of Malware analysis
 Gain insight in how it’s working
 Leads to detection of botnet-servers / bogus ISP’s
 Combined team cybercrime & financial investigators
 Building trust with law enforcement with other
countries
 Collaboration with several partners and organizations
=> Information send to & analysed by Cert.be
 Effective in dismantling of Botnet-servers (70 since ‘09)
 Impact of 1 Malware distribution server ? Analysis shows
 2 months 1,5 million downloads, 300.000 unique IP’s

40. Problems
 Botnet-servers often on victim’s servers
 But is it really a victim ?
 No knowledge-servers in BE
 Language problem during analysis CC-server
 Is it the role of the police / Cert ?
 If Cert does it (eg Finland)
 => fast but do we go after criminals afterwards ?
 Which incidents are severe enough to report to police ?
 If police does it
 Which botnet-servers do we analyse ?
 Malware analysis => help from AV-industry ?

41. Do we really have an impact ?
 Several hundreds of botnets
 5.000 – 10.000 botnet servers world wide
 Millions of infected end users
=> need for action in every country

42. Contact information
Federal Judicial Police
Direction for Economical and Financial crime
Federal Computer Crime Unit
Notelaarstraat 211 - 1000 Brussels – Belgium
Tel office : +32 2 743 74 74
Fax : +32 2 743 74 19
E-mail : luc.beirens@fccu.be
Twitter : @LucBeirens
Blog : LucBeirens.blogspot.com